f5835d
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
f5835d
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
f5835d
implementation) which calls the libraries that will communicate with the
f5835d
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
f5835d
this is only need on s390 architecture.
f5835d
f5835d
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
f5835d
---
f5835d
 sandbox-seccomp-filter.c | 6 ++++++
f5835d
 1 file changed, 6 insertions(+)
f5835d
f5835d
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
f5835d
index ca75cc7..6e7de31 100644
f5835d
--- a/sandbox-seccomp-filter.c
f5835d
+++ b/sandbox-seccomp-filter.c
f5835d
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
f5835d
 #ifdef __NR_exit_group
f5835d
 	SC_ALLOW(__NR_exit_group),
f5835d
 #endif
f5835d
+#if defined(__NR_flock) && defined(__s390__)
f5835d
+	SC_ALLOW(__NR_flock),
f5835d
+#endif
4369a3
 #ifdef __NR_futex
4369a3
 	SC_ALLOW(__NR_futex),
f5835d
 #endif
f5835d
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
f5835d
 #ifdef __NR_gettimeofday
f5835d
 	SC_ALLOW(__NR_gettimeofday),
f5835d
 #endif
f5835d
+#if defined(__NR_ipc) && defined(__s390__)
f5835d
+	SC_ALLOW(__NR_ipc),
f5835d
+#endif
f5835d
 #ifdef __NR_getuid
f5835d
 	SC_ALLOW(__NR_getuid),
f5835d
 #endif
f5835d
-- 
f5835d
1.9.1
f5835d
f5835d
getuid and geteuid are needed when using an openssl engine that calls a
f5835d
crypto card, e.g. ICA (libica).
f5835d
Those syscalls are also needed by the distros for audit code.
f5835d
f5835d
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
f5835d
---
f5835d
 sandbox-seccomp-filter.c | 12 ++++++++++++
f5835d
 1 file changed, 12 insertions(+)
f5835d
f5835d
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
f5835d
index 6e7de31..e86aa2c 100644
f5835d
--- a/sandbox-seccomp-filter.c
f5835d
+++ b/sandbox-seccomp-filter.c
f5835d
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
f5835d
 #ifdef __NR_getpid
f5835d
 	SC_ALLOW(__NR_getpid),
f5835d
 #endif
f5835d
+#ifdef __NR_getuid
f5835d
+	SC_ALLOW(__NR_getuid),
f5835d
+#endif
f5835d
+#ifdef __NR_getuid32
f5835d
+	SC_ALLOW(__NR_getuid32),
f5835d
+#endif
f5835d
+#ifdef __NR_geteuid
f5835d
+	SC_ALLOW(__NR_geteuid),
f5835d
+#endif
f5835d
+#ifdef __NR_geteuid32
f5835d
+	SC_ALLOW(__NR_geteuid32),
f5835d
+#endif
f5835d
 #ifdef __NR_getrandom
f5835d
 	SC_ALLOW(__NR_getrandom),
f5835d
 #endif
f5835d
-- 1.9.1
f5835d
f5835d
The EP11 crypto card needs to make an ioctl call, which receives an
f5835d
specific argument. This crypto card is for s390 only.
f5835d
f5835d
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
f5835d
---
f5835d
 sandbox-seccomp-filter.c | 2 ++
f5835d
 1 file changed, 2 insertions(+)
f5835d
f5835d
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
f5835d
index e86aa2c..98062f1 100644
f5835d
--- a/sandbox-seccomp-filter.c
f5835d
+++ b/sandbox-seccomp-filter.c
f5835d
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
f5835d
 	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
f5835d
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
f5835d
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
f5835d
+	/* Allow ioctls for EP11 crypto card on s390 */
f5835d
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
f5835d
 #endif
f5835d
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
f5835d
 	/*
f5835d
-- 
f5835d
1.9.1
f5835d
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
f5835d
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox	2017-12-12 13:59:30.563874059 +0100
f5835d
+++ openssh-7.6p1/sandbox-seccomp-filter.c	2017-12-12 13:59:14.842784083 +0100
f5835d
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
f5835d
 #ifdef __NR_geteuid32
f5835d
 	SC_ALLOW(__NR_geteuid32),
f5835d
 #endif
f5835d
+#ifdef __NR_gettid
f5835d
+	SC_ALLOW(__NR_gettid),
f5835d
+#endif
f5835d
 #ifdef __NR_getrandom
f5835d
 	SC_ALLOW(__NR_getrandom),
f5835d
 #endif
4369a3
4369a3
4369a3
From ef34ea4521b042dd8a9c4c7455f5d1a8f8ee5bb2 Mon Sep 17 00:00:00 2001
4369a3
From: Harald Freudenberger <freude@linux.ibm.com>
4369a3
Date: Fri, 24 May 2019 10:11:15 +0200
4369a3
Subject: [PATCH] allow s390 specific ioctl for ecc hardware support
4369a3
4369a3
Adding another s390 specific ioctl to be able to support ECC hardware acceleration
4369a3
to the sandbox seccomp filter rules.
4369a3
4369a3
Now the ibmca openssl engine provides elliptic curve cryptography support with the
4369a3
help of libica and CCA crypto cards. This is done via jet another ioctl call to the zcrypt
4369a3
device driver and so there is a need to enable this on the openssl sandbox.
4369a3
4369a3
Code is s390 specific and has been tested, verified and reviewed.
4369a3
4369a3
Please note that I am also the originator of the previous changes in that area.
4369a3
I posted these changes to Eduardo and he forwarded the patches to the openssl
4369a3
community.
4369a3
4369a3
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
4369a3
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
4369a3
---
4369a3
 sandbox-seccomp-filter.c | 1 +
4369a3
 1 file changed, 1 insertion(+)
4369a3
4369a3
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
4369a3
index 5edbc6946..56eb9317f 100644
4369a3
--- a/sandbox-seccomp-filter.c
4369a3
+++ b/sandbox-seccomp-filter.c
4369a3
@@ -252,6 +252,7 @@ static const struct sock_filter preauth_insns[] = {
4369a3
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
4369a3
 	/* Allow ioctls for EP11 crypto card on s390 */
4369a3
 	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
4369a3
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSECSENDCPRB),
4369a3
 #endif
4369a3
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
4369a3
 	/*